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Foreword 



The InlerneL. since ils debut in l'JH'A lias revolutionized commerce. 
o.Miinn:iiiealio[i. milium action. :i:i.J gou'rminoe Much of the modern world i~ 
simply :nconcoi\ able w ilhoul it This rcvolulion. however, has mil cinno without 
a price. The annual cost of cyber enmc has now climbed to more than SI 
trillion, while coord 1 iiiited cyberallaeks have crippled lertoiua. Georgia, and 
Kvrgv/sian jr.d compromised critical infrastructure in countries around the 
norlJ While no fewer limn six 1 "N bodies ami multiple regional and naunua! 
forums have soitghl to build a consensus on (he fnliire ol' lntcniol governance, 
thcie has been little progress thus far. The United Stales lias hugely abstained 
from these discussions, instead focusing mi developing ils own offensive and 
defensive ovhcrseiairiiv c.ipahih lies while eiilrustiiig Tie oncomg si abili Iv of fie 
system to the expertise of the private sector. 

!:i litis Council Special Report. Robert k Knake briefly e\aniines fie 
lochnological decisions lhal have enabled both the Inleniel's speclaeulnr success 
and its troubling vulnerability to attack. Arguing thai Ibc United States can no 
longci cede the initiative on c\ her issues to countries that do not share its 
interests, lie nullinc- a:i agenda thai llie I hilled Stales can pursue in concert w ith 
ils allies 011 llie internal i 011:1 1 -Uipe Tin - agenda, addressing cyber w arfare e> ber 
crime, and stale-sponsored espionage, should, he writes, be pursued through 
both technological and legal means. He urges first that the United Stales 
empower experts lo confront the fundamental securilv issues al llie hearl of the 
Inlernel's design Titer, lie sketches die legal tools necessary to address both 
c\ber crime and slate-sponsored activities, including nalioual iirobibilions of 
c\ bei ci line, multilateral mechanisms lo picvcnl and prosecute eybei altaeks. and 
peacetime norms pioleclutg critical civilian osteins, before dcscrihing Ihe 
bureaucratic reforms tlie United Sialcs shoind make to implemenl effectively 
these changes. 

Internet Governance in an Age off 'yhcr Insecurity is a timely contribution on 
an issue increasingly capturing the attention of policymakers. II presents 
technical ideas lo the nonexpert in accessible and compelling language I he 
reporl leaves liule doubt abmil ihe imporlanee of cvberseeurilv 10 die future of 
bolh Ihe I hilled Slaies and the Iniemel itself, and ils recommendations provide a 
strong foundation for future action. 

Richard N. Haass 
President 

Council on Foreign Relations 
September 2010 
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Introduction 



Ihe United Slates is being oiuinaiiciivcrcd in I In.- international forums that will 
Jv.- 1 l-L"I n i lit- the future of ".be IiKi.tiii.-I I cd hv liti—ia and L'jjii.i. noiidc:u'icr:Uic 
regimes arc organizing into a unrled front to promote, u vision of the internet [lint 
is tightly controlled by stales. That vision is nictt; jkii iyl> attractive to many 
Western nations wrestling will) ii net- re-luted threats of cyber crime, industrial 
espionage, and evher warfare, fhc United Slates must aelivelv eomhal these 
threats while it works lo protect U S. national interests m the preservation and 
extension of the Internet as a platform for increased efficiency and economic 
exchange. I'rolcclmg this interest rco.uiics fai more cUcnsivc engagement w illiin 
tiilernel governance forums lo shape the future of the network in a wa\ that 
addresses seeurilv ivureiiis wiihoal resulting in a cure thai is worse than tile 

disease. 

In pursuit of this abjective, the United Slates should he jiuided by three 
principles. First, it should lake a networked and distributed approach lo a 
networked and dislrihalcd problem. No single forum can adcijualch address tins 
sel of issues, hislcad. ii needs to nurture solutions through wide engagement 
across a broad set of forums. Second, the United Stales should move toward 
liiili.lii'.i: stale- accountable for llicir actions and those of their eili/ens and 
systems in cyberspace. Though the United Sialcs caimol e\pccl countries lo 
prevail all malicious behavior, il can c\pccl llicni to secure their networks to a 
reasonable si ;ijilI ;i IlI . pass laws outlawing inlernalional c\ her crime, and have 
mechanisms in place u> act on requests fur assignee in -hulling ilown attacks, 
and investigating iiiul prosecul mg them. Third, the United Slates should lead by 
example. II should take steps to clean up its nalional nciwork. work (o stop its 
s\ slcms from being used in mlerii.itional cvheraliacks. prioritize criminal 
inve-.lignlion mI' a\ beratlaek- with foreign viiainis and make clear thai the 
primary goal of its military efforts in cv herspaee is lo defend Ihe I lulled Si ales 
and presei-ve international connectivity. 

These principles should he applied to a three-part agenda. Ihe United States 
should work lo dc\ clop a stronger set of international regimes lo fight crime in 
ov herspaee. moving hev ond Ihe c hitch I (."ounoil of I in rope (.'on vent ion In draw 
in non-Western slates, and develop real-lime mechanisms lor collaborating to 
stop cv. licrattacks us progress and [iwcsligate allaeks across borders. Addressing 
cv her crime alone, howev er, w 111 ant secure cv herspaee Slate ac'.ors should also 
be con -Ira nice lliiouga 'lie developmcni of new norm- I be I "niicd Slate - sir. ail J 
not feur lalks on these issues and should pursue Irealies lo protect the core 
functions of the Internet and ban distributed dcmal-of-sci \ ice attacks It should 
also rcmvigorate efforts lo secure the liitcrucl's underlying technologies, which 
were developed decades ago fur a eifi'erer.l purpose '.nan :hcv are being u-ed for 



Finally, the United States should esiabhsh die mechanisms uithin its own 
government to pursue these agendas. Stronyi;i- While House leadership is 
necessary to keep die agencies mil; iulercsls in limv tliL' Iniurncl is developed 
focused i'n N S national mlcresls lliu issue nl' Inieruel governance iiilliin Ihc 
Sl;Uc Depai-lmcnl should he dialed In a new bureau focused on cyber affairs, 
and that bureau should be given (lie mission of winking to improve seeunty of 
c\ hcispace di rough iulemalioiial engagement The jiri\ ate sector should also be 
given a sirongei" voice on Ihce issues :;nd nicol"i;i:i]sirr-. developed for companies 
to both shape U S polity and coord male ilieir nun positions. 



Background 



Sinuo the carlv davs of the Internet, its main architects and r-.Lijipi.ii ;i.T^ have 
snug hi L ■ limit the role i if in i'. crnmcnls in ihe network • design, operation. :;nd 
gBvenwaee, While the Internet is the product of decades of U.S. 
km erntnen [-fluid ed research. I he computer .scientists who developed the 
piolocolr. ill ill todav "s network i Litis on Unsigned Ihoin so llial no cclllral opL'faloi 
of Ihe network would be necessarv. ' I'll rou about the pasl Ihroe decade's, 
succcssn o ptv-iiLiiiial adminislraiion-. have coiiMstcmlv iaken a hands-off 
approach lo the develop merit of the network to allow the Internet to grow 
witluiut government involvement that could Laic limited of slallcd its dramatic 
expansion litis approach has hccii extended into the mlcmalioi'.a! arena, v. be if 
Ihe ! hituvi Males has maintained conlrnl ol' ihe one necessarv aomponenl ■. 1 1~ Iho 
Internet's underlying arch ilea lure thai must he actively managed — the Domain 
Name System (DNSI— hut has otherwise taken the position that the tolc ol' 
ao\ i.-mn;e:ii- in managing die network should remain Inniled. the rise ol' evhef 
entile, the emergence of ovber e-pionago. ami the -.ix-uli'i' of cvber warfare ha\c 
led many foreign government lo exert sovereign authority over iheir nclworks 
and (0 press international orgiiiu/.alious to take up these issues. 

UNDERSTANDING THE THREAT 

(.V her crime carnage 'o Ihe global econojm i- estimated til more il'.an 1ii trillion 
etieh year.- Sophistical til tillaeks targeliiig intelleelnal properly ol' l-'orlune 501! 
eoinpatues are becoming routine. Stale actors are entering the miv developing 
holh oiteiisi\ e and defensive capabilities in a new form of arms racing. I he 
I 'lilted Siales is in ihe process of slatting Lip Cvber (.'omnia nil. new com ha la: H 
command charged with both offensive and defensive operations in c\ hcrspacc 
thai will he headed by a four-star general. At least four oilier countries have 
developed advanced offensn c c\ her opei a: ions capahihlics and more than one 
hundred bave begun to organ i/e evher warfare units. = 

These capabilities have not been confined to the lah. hi 2tl()7. Kstonia suffered 
:t nahotial-levei denial-of-scf. ice attack that look ihe enlire nation offline for a 
week, affecting government, telecommunication, and financial networks.- A 
year later, when Russia invaded Georgia. Ihe ground and air forces were 
preceded by an onslaught in cyberspace. These eail\ conflicts in cyberspace ate 
likek harbingers ol' far worse attacks. Researchers have demons! rated the 
eaptihiliu tv i Li-e cvheralLicks to desiro-. financial records, iuru of!' ihe power, 
and disrupt networks necessan lor mililary operations Critical inlraslrucliirc 
sectors — including power, oil and gas. and water and sewer — are nicicasingb 
targeted .- 



INTERNET GO VERNA NX E TO DA Y 



As a network of" nciworks. llie [nicrnct haw no centra] authority to control ll 1 
New Leehiucal standards for 1 lie protocols tliat make the Internet function aic 
developed through an iterative "Teeniest for comment process managed h\ the 
Internet Engineering Task Force (IETF) and adopted by the technical 
commtimly on a consensus basis. Recognizing Ihe need for a centralized 
authority to assign Unique name and number identifiers, llie Domain Name 
Svslcm was developed m tile earlv I'JK'is. The role of allocating il' addresses 
and managing Ihe root /one llbe name, and If addresses of die .lulliorfalivc 
I >NS scners for all (op-level domains such as .com) was handled by a single 
individual. Jon Fostek lor almost two decades.- In 1'WS, the U.S. Department of 
Commerce created die Ink-met C< uporaiion I'm' Assigned Names and Numbers 
lo oversee the management of this svstcm "I' unique identifiers 

ICANN operates llie only centralized svslem necessary to keep Ihe Internet 
functioning ICANN fulfills lliis important role at minimal cosl and is lakiug 
measures to address security issues willnn its mandate. Mam Internet pioneers 
and supporters is' Internet frccLhun maintain thai llie assignment of these usiKj'.ie 
identifiers :s llie imlv necessary Internet governance function. Successive US 
administrations have largek agreed, limiling U S government imolvemenl and 
seeking to keep oilier governments from attempting to exert anihoril\ over the 
ne In oi k m okIce to allow il to grow unencumbered. Tile 1 ismg udc of malw aic. 
rampant iJentilv theft, financial crime, terrorist use of the Internet, 
unprecedented lei els of corporate espionage, and die ilcdopmciti of offensive 
cyber warfare and cyber cxploilal.ion capabilities by slate actors, however, 
suggests that stronger and more expansive governance may be necessary lor the 
internet to grow and coiiiinuc to add \aiue to aloha! commerce and enrich llie 
daily lives of billions. 

Given [he eosls of crime, the economic Ihretil of industrial espionage, and the 
increasing liiililari/aliou of cyberspace, the laissez-faire approach that the 
I limed States has taken toward Internet governance over the past decade can no 
longer be su-aatned. I hough lodav - Internet is the product of a collaborate c 
effort by Ihe U.S. government, private sector, and academic commimiiv. 
Inslorieal bragging righls do not translate into control of llie Inlemefs future. If 
the United Slates fads 10 provide the Icadcislup necessary to address the security 
problem-., other slates will step in. If the current Internet is a reflection of the 
openness and innovation tha; are hallin.n ks id' American soetclv. ihe [tilernel of 
Ihe future envisioned by Russia and China would rellect Iheir societies — closed, 
dysfunctional, state-controlled, and under heavy surveillance. 

NEW INTERGOVERNMENTAL INITIATIVES 

(.liven the securilv concern-., manv countries are pressing new initiatives to 
secure c\ berspacc in a dizzying number ol' mlemational forums that are now 
vying I'or a role in Inlcrnel governance, uicludmg at least half a dozen entities 
v: ill 1 1 1'. ;:ic I lulled Nali'si-. alone Regional groups including llie Asiad'acific 
f eonomie (.'ooperalion (Al'HC) forum, the < Jrgam/alion I'or Economic 



Cooperation ;iml Dcvclopmcnl (OfX'Dh and the Organi/anon of American 
Stales (OAS) — ;uu also active. The Russian government lias been pushing since 
I'.'vS fiii" a I N Irealv tn address conflict :n c\ hcrspacc. ReeeniK . however, the 
idea has hcuun in iiisin momentum. I he concept received support at the Twelfth 
1 hiited Nations Congress on Crime Prevcnlion and Criminal Jnstiee in Salvador. 

Brazil, in April 2010.- Hamadoun I. Toure, the secretary -general of the 

inlci n:;l]o:iiL . elccommuiiica: ion '. hiiuii ■; M 1 1 .■. is active^ puisiim_j such a lie at v 
and receiiih called lor UN conference th, it would define a "blue print for a 
s> .si em -wide approach" to cy oersecurily . - 

Sucli an outcome is clearly counter lo U.S. interests. As an organization, the 
ITU is not designed to manage an issue as complex as cybci security and lias no 
mandate lo address issues of crime or interstate conflict. As a slate-cenliie. 
inlcrcu'.iTiimcnUd orcum/alion. ihe I TU is also nol set up lor iionuovernmei'.la! 
organizations and ihe pnvale sector lo participate m ihc discussion Countering 
the momentum behind llus initiative will require more than just ignoring it or 
arciiiiiLj a j a :nsl i:. .Mo\ nig hevond the ICANN functions. Ihe I ruled Slate- must 
work cooperatively with oilier countries to develop a heller mechanism for 
international coordination lo combat cyber crime, develop norms for warfare in 
c> bcrspacc. and promote the development of a new. secure suite of Internet 



Rethinking U.S. Interests in Cyberspace 



I be ! hilled Stales' a\ ci riding national inlcresl in evberspace in In preserve ;mi_l 
cxlcnd the Internet a-- j tool for economic effioienev at home and as a faci hlaior 
fur economic exchange internationally The current level of criminal activity, 
espionage and preparation of [he battlefield in c\ berspnee threatens to stall if 
mil wipe oul the economic gains produced hv llie nctwoikmg of svsLeins over 
the past two decades Moreover, an overreact ion to these threats could be 
ci|tial!v devastating In seeking lo improve security in cyberspace, llic United 
Stales must work lo preserve (he core allnbnles of (be network that make it BO 
valuable for economic exchange, innovation, openness, and limited governance. 
These attributes in, ike the network flexible, so thai new uses can be developed 
rapidlv. and scalable, so that millions of new users and devices can be cornice; ed 
each year, expanding the free flow of ideas and Ihe reach of international 
eoiimicrce. Addressing problems of security in cyberspace at tile expense of 
lliese ali lib a les would not serve I .'.S. national interests. 

The tremendous gams in economic productivity over the past two decades are 
the direel result of Ihe expanded use of the Internet for communication, 
collaboration, outsourcing, i-isl in time im.enlon management, and the control 
of industrial processes Inlemationallv. the surge m global trade in both goods 
and services that has lakcn place could not have happened without the Inleniet 
as an enabling technology. Malicious activity m cyberspace threatens these 
svstcms. In Ihe area of corporate espionage alone, manv companies arc 
beginning : a uuestioti the wisdom of using ihe Internet to allow around-the- 
clock research and development across lime /ones due lo Ihe loss of intellectual 
properly from attacks. 

As the mosl wired nation in the world. Ihe United Stales is also the most 
vulnerable to de-niplive aelm'.v :n c\ berspace. he il Ihreais in Ihe sv-.lem itself 
or threats carried on the svslem against networked targets Despite these 
vulnerabilities, the Obama administration is moving forward with plans that 
would increase, not decrease. U.S. dependency on networked technologies for 
llie endue I of commerce, the control uf critical s\ stems, and the execution of 
government responsibihlv lite National Hiviadha'id I'lau identifies expanded 
broadband access as Ihe "foundation for economic growth, job creation, global 
competitiveness and a better way of life." - The plan identifies sis. ""Goals for a 
I kgh-l'crformaiicc America, in which Internet svslem-. would provide mas-uvc 
lie" effieicnov gains in ever.- economic -color ai'.d in the dailv lives of each and 
every American. Goals include a national broadband network for first 
re.spondcrs lo prov ide interoperable communication during disasters and a Smart 
Grid that connect-, individual consumers lo the pow ci giid foi real-time power, 
usage and rale monitoring, (.riven Ihe current ovher threat environment, 
extending I 1 S dependence is ai besi naive and al worst could create a sanation 



in which America's humulaml is \ iilucrahle Id bdlh stale and in instate adors Unit 

Mill Sc'ck Id sl.ld lllC Ll;it 1 1 L-ll^l lI Slid lid IlLUill Id I IS. .sOCICt\ in C) bciSpaCC. 

In seeking lo reduce these llucals. tile 1 killed Slates must also he mindful that 
security is not an end in itself, but a facilitator for economic exchange :aid 
improved efficiency Too much secnrily will reduce (lie usability of the network, 
slow mg 1 raff it and creating bamers fdr new uses and new users While slrdiigcr 
gdvernance i.s necessary, thai governance should lie tailored lo .speei Ileal K 
address a narrow sel of seetiritv concerns surrounding crime and warfare 
I'rdpdsals hv China. Russia, and oilier aulhontarian regimes io improve 
"mlormaiion securiiy" — iheir chosen phrase — are not in fad abmii ihese 
eoiieem.s. hut abotil their desire lo limit dissent and access lo inform at urn 
deemed lli:c:;lciiine then regimes 1'roposal-. io build in hacking lo all packet-, 
so I hut even action Liken on '.lie network cin be inslamaiieouslv Iraced hack to 
an individual, for mslaiice. would be cumbersome and eosilv and do little lo 
combat crime or limit warfare. They would, however, constrain the average 
user's ability to access informal ion and engage in political dialogue 
anouvmouslv Criminal group., inlelligenee agencies, anil im-iiarics will find 
ways around such controls, while average users will be subject lo ncar-lolal 
surveillance of their online activity — Such a sysiem would have a slillmg effect 
on the usability of the network as well as barm U.S. interests in the promotion of 
freed. 'in ..aid democracy around ilie globe though ilic-re .s aide lhal die I hilled 
Siales can do lo con\ nice China. Rus-aa. and olher aalhonianan regimes lltai 
anrcslricled Inlemcl access and the openness and freedom of expression lhal 
come with it are in their national interests, the international community would 
be done a dissciv ice if die doled Inleriiel evolved io rellccl die values of these 

To avoid this oulcomc while preserving and extending Ihe Internet as a 
mechanism for economic exchange and efficiency . ihe t ]uitcd Stales musl Work 
w itliin the international system to constrain actors with malicious mlent, develop 
cooperalo c mechanisms lo pursue cyber criminals, limil espionage, and develop 
norms iigainsl Ihe initialion of conflict in cyberspace. The allemalives lo this 
approach arc unappealing. They include being forced to scale back the 
nclwoiking of systems, extensive regulation for security that would be cosily 
and nurdensomc. the aclive prolcelidii of crilical infraslniclurc in cv bci spaec hv 
government agencies similar lo die takeover of airline security afler 9/1 I. and 
ihe increased use of offensive capabilities lo slop adacks If Ihe I J ruled .Stales 
docs not engage, other countries wall shape the future of the Inteniel hut 
ni'.dciiiiii'.e Ihe iielwoik as a mechanism for ihe free exchange of uifdnmdioii and 
political discourse Clearly, in light of these allertiatives. inlernaijomii 
engagement to improve seeurily and limit aelion in cy herspaee is preferable. 



Principles for Engagement 



The Minted Staler, is no longer Ihe sine qua non for Internet governance 
Nonprimcipaliia'. '.vitliin Internel lli. >\ " l- lj i li n ^ t- Jorums h\ the I'niled Stales will 
nol keep other countries with objectives counter lo lliose of the United Stales 
from shaping Ihe future of the Internet. The United Slates gains nothing from 
being perceived as dcleiniuicd lo use computer iiclvvoik ailaeks without Innii 
While ii -honkl locus most of its elTorl on building inlonijal consensus and 
de\ eloping mkrriial ional mechanisms lor cooperation, ihe 1 "niieJ Slates needs to 
engage on lis own terms rallier than 111 In prevent international discussion of Ihe 
topic It has little to lose by talking. 

Am ;i general principle, ihe Uniled Stales shotiki support processes that allow 
icpicsculativcs lilim llic leehmciil community. Ihe private sector, and Llser and 
consumer groups lo sh;ipe police and avoid .-.;alc-cent lie processes loi handling 
lechnical i-sues Iniergov ernrneni al Jorums, however, are nccessiuv for bringing 
(he rule of law lo Ihe Interne! Through engagement. Ihe I. ■lined Stales can shape 
solutions lo the security challenges in c\ herspaee in ways thai align with other 
interests m expanding international trade and achieving greater ceonomie 
cJ't'iciencv 'Ihe Kniled Suites will need lo develop separate agendas and 
strategies for pursuing these agendas n liie areas of crime, hmiimg stale actors, 
and developing secure standards, but there is a set of m crarchiiig principles that 
should broadly guide U.S. engagement in this area. 

TAKE A NETWORKED 

AND DISTRIBUTED APPROACH 

To pursue its national interesls in cyberspace, die United Slates should support 
open processes that welcome a wide range of participants from the technical 
cianmunilv. die private sector, and user and consumer groins ;o shape policy 
and avoid stale ecn'.rie processes lor handling lechnical issues. No -ingle forum 
can possihh encompass all the issues and players involved in addressing 
security concerns in cyberspace Instead. Ihe United Slates should nurture a 
range of forums some multilateral, some bilateral, and some regional to 
iaekle these challenges. Sep, irate coalitions mav he necessaiv lo addles. llic 
technical a gen J a and \ arioas aspecis of I lie iiuernal ional legal agenda including 
crime, corporate espionage, and slate coullici. Regional coalitions may also 
prove effective. Though c\ her threats do not vary significantly by region, il may 
he easier lo foster a series of agreements within icgion-l organi/alions than to 
reach a global agreeiirenl. Instead of liv ing 10 caiole former colonies mlo a Ireatv 
|inl together by former colonial powers, repliealmg the Council of Europe. 
Coirveiitiou on Cybercrime m llic Organization of American States, the African 
I Jnion. and the Associalion of Southeast Asian Nations i A.St :AN i mav be more 
eiYeclivc. (llohal coalition^ thai addres. more specific problems mav also be 



effective. Initial ly. these coalitions should be loose and informal, seeking 
support from nations whose interests are aligned w ith those of the I tinted Stales. 
I radilioiial 1 1 N allies are a good starting point, but efforts should Iv itiaJe to 
active Iv recruit more ibr.n the usual handful of Western suspects A iareel li-i ol' 
nations from which 1» seek support could include Ihe ihiny-one countries ill llic 
Ol-iCI). plus smaller and less developed nations that arc working to address 
cvber crime, including I .stoma, ihe l'ii:l ippnie-.. and llic I )oniiniean Republic. 

HOLD STATES ACCOUNTABLE 
FOR THEIR ACTIONS 

Sccitntv slratcgisls have been parah /ed by the '"attribution problem"" for more 
than a decade. Attribution for cyherallaeks is made difficult bv lour faelors: first, 
cv hei ailaek'. do uoi require geographic proximilv. second, there is no equivalent 
li> radar systems io delect the origin ol' an attack as there was with t old War 
missiles-, iliird. llie protocols that govern Inland traffic are fundament allv 
uiseeure and llic origin of packets can be masked, and fourth, cybcrallaekers w ill 
IV picallv Lise one or more compromised svslcnis as -ale lauiiehing poinl lor iheii 
aliack crossing multiple inlernalion.il boundaries in order Io complicate the 
investigation process. 

While technical solutions to the aiinbution problem and oiher seeuniy 
problems with Ihe Internet's architecture must be pursued, the problem of 
allrihinoii -.hould ma no ■ ■■■■ erskacd At present, llie ahdiiv li> wage :aiv thing ll'.al 
rises to Ihe level of "war" in cvberspace is possessed by al most iwenlv groups 
worldwide, hall' ol" which are rial ion -si ale actors and llic oilier hull" of which arc 
private criminal groups closely aligned with nation-slates. In the event of a 
mails' attack, ihe lis| of potential suspects will be small. Technical means ol' 
ideiiub. ing attackers continue io improve, but ihe importance ol' real-world 
intelligence and investigation should mil be overlooked. Ironclad attribution by 
technical means may never be achieved, as criminals and cyber warriors will 
work to idcutilV vulnerabilities in anv new protocols or surveillance sv stems, 
though something :=kiii to probable cause for further investigation can almost 
always be achieved. 

When cyberattaeks occur, all loo often stales will claim no responsibility and 
offer ""palnolic hackers"" who cannot be identified or controlled as the likely 
culprits. Thev will also refuse (o allow investigators access to potential suspceis 
or to systems inv olv ed in ihe incidenl on Ihe grounds dial dome so would viohac 
nalional sovereignly. On at least two occasions — the attacks on !:sionia and 
(ieorgia — tins was the Russian response. Similarly . the Chinese government has 
cast oil' all respoii.sibilitv for cvberal lacks thai 01 ieuiale from sv stems within its 
eoiiiitiT In earlv dub). lioogle wa-. aKc >■ trace :. -iiicco-ful hackinc caitioaier. 
that stoic proprielarv information from ( iooele .iiilI up 10 thirty oilier American 
companies back to servers in China Chinese goveniment officials argued Ihat 
llic sv stems used in the attacks wcic proxies that had been compromised due to 
llie widespread a-e of pirated software and unseen re svstems in their coumrv 



Each nl' these explanations may be true, bat in either example, with evidence 
pointing toward criminal activity targeting unc country thai nan he (raced lo 
another, the burden of proof should now shift to the country hosting die 
tinlaulu! jeliwu Countries Ihul do not cooperate in criminal investigation-- 
should understand that failure to cooperate will he treated as a sign of 
complicity. States can be held accountable for their actions, those of their 
citizens, and systems in cyberspace.'-' The United Stales requires a range of 
options and in cell an isms for punishing stales thai routineh attack others in 
ey herspace or allow Iheir Ifmlory or systems lo be used by criminal groups 
Responses can include both traditional diplomatic protest, sanctions, and 
military action as well as network actions, including higher-level scrutiny for 
Internet traffic leaving states that do not cooperate and ultimately blockading 
access to U.S. and allied networks from slates that continue lo be outliers. 

LEAD BY EXAMPLE 

I bu : . tinted Stales eaniiol call on others to lake action without also commuting 
lo show restraint in the use ol' force in cvhcispuee. curb ivhcr criminals at home, 
and lake steps lo reduce malicious activity on U.S. networks Diplomatic efforts 
should make cleai thai U.S. military and intelligence activity in cyberspace is 
I tic used on defending; ihe i hilled Si ales :uid oioicelnig freed": is of inlei national 
information Hows. The United Stales should commit lo \igorouslv pursue 
eriiiiin.il prosecution of any em/en thai engages in "hae-ln i.-m" again si foreign 
states, and should expect other countries to do the same. On cyber Crime, the 
federal liurcaii of Investigation I f'HI .1 should be funded to dedicate resources to 
invesligalmg cv hoi eiiminal actiun dial i alginates on US. soil hut targets 
victims overseas. "I'he United Slates should also lead efforts to clean up its 
portion of cyberspace, reducing its share of computers on the network that are 
either pails of botuets — networks of compromised computers used to early out 
attacks or the origination points lor attacks It should also work to establish 
inci-ha:i!-m-. to shut don n attacks on foreign svslein- that origtnale from I.J. S 



Pursnint; International Entitlement 



Guided l">V lliis sol of principles, [he United Stales should pUISHC 111 interests: Oil 

throe tracks, first, i: should lead the crcalion of a -wronger set of i [i Ku Ij I J i 1:1 m ■ 
regimes In lighl crime in cyberspace Because addressing cv bur crime alone will 
nut reduce threats to the network and to the network si. .stem to a sufficient level 
that Ihcv can he busied. Ihe United Slates liiusl also pursue a second track to 
constrain -.lale actors in cvherspace. hnallv. the I mice Slates should undertake 
efforts to secure I he Internet's nil deriving technologies 

REDUCING THE THREAT OF CYBER CRIME 

<_'\ liei ci line liar, become tile occupation of choice for smart criminals because it 
offers low risk-, and 111 eh row aid- \\ hereas r.alMnal local milhorilv I- hounded 
by borders. Ilie Internet is not. Criminals exploit this fact by carrying oul cyber 
crime in one country from the sale confines of another, preferably one with 
weak laws and limited enforcement, investigation, or prosecutorial capabilities 
Combating ovhci crime, therefore, require- all countries lo pass laws dial make 
international cvher crime illegal, and lo develop mechanisms lo slop, 
investigate, and prosecute atlacks originating in one country thai large! victims 
in another. The United States needs lo put its weight behind multilateral 
initiatives I ha: pro\ ide on', mines with assistance in develop inc. local I ramciidi-.. 
and ciilin"eemcnl eapabdilies. a mechaiu-m for judging the offee liveness of 
ualional efforts al comhalmg cvher crime, and a process thai provides holh 
positive and negative incentives thai promote adherence lo mtcmalioiial legal 
standards 

FOCUS EFFORTS OUTSIDE THE COUNCIL OF EUROPE CONTENTION 
ONCYHERCRIME 

ki'forts lo develop a solution lo Ihe problem of inlcraalional ev her crime have 
centered on llic Council of kurope's Convention on Cvbercrime. "fhc convention 
was dev eloped to cslalihsli a haselmc scl of Ian s thai parties to the treaty would 
pass lo criminalize coiupulci clinics and lo provide a mechanism for cross- 
border cooperation.-- 'fhc United Stales put its diplomatic weight behind Ihe 
convention in 2000 after the Tailed prosecution of Ihe author of the 
"11.0 VI (YOU" computer virus. In that incident. U.S. law enforeemenl 
aiilhoi ihes ucie able lo trace ihe virus's development to a student croup In Ilie 
I'lidipi'iucs hat '.\eie unable to gun extradition for the vim- s author hceau-c the 
crime ho had eommiUed was not aga.nsi i'hilippine law The convention was 
finalized in November 2001 and came into force in July 2004 after live 
countries ratified it. As of May 2010. twenty -nine countries have ratified the 
treaty and seventeen signatories are in Ihe process of considering ratification.— 



Though the convention has helped develop on international standard for 

cruimiali/ing c\ bcr crime, it has not lod to an appreciable reduction in cyber 
crime The mechanisms lor international cooperation <J eve loped by the 
convention are hilaleral and prosecutorial. pro\ iding no conduits to coordinalc 
law enforcement aclivily across borders or lor network security professionals to 
coordinate (eehineal solutions when attacks occur Members of Hie convention 
include Mime of die worst cvbcr-criminal havens in eastern l.urope. such as 
Romania and Hulgaria. Manv countries. mosl nolablv Japan. Itave been 
unw ill i n y 10 ratil\ the [real} simply because it was constituted under lite Council 
ol" Km-ope. The convention lias served a purpose in hying out a legal framework 
lor harmonizing national laws on cyber erime and for providing cross-border 
mmual assi-tar.ee. kil adding signatories t-. ■ ihis particular doetimeul i~ neither 
necessaty nor sulhcieiil lor reducing cross- horder cyber criminal activity 
t iiihkc amis limitation treaties, where reductions h\ one stale can occur only if 
all parties agree to a reduction in force, the passage of cyber criminal laws is in 
tile interest of uido idual Males regardless of whether other states pass -.itch law s. 
bceuuse cyber criminal-, lend no; to confine their aein ities soleh to foreign 

USE THE FINANCIAL ACTION TASK FORCE ASA MODEL 
Ihoiigh as a general rule. Ihe l.r.ilcd Slater, should foslcr processes that arc 
deceit ira I i/ed and ine la sue of the technical coin ni Lira I'. . I lie pri\ ale sector, and 
user and consumer groups, there are certain problems onh stales can address 
One of these is cyber crime In creating a new regime to reduce international 
e\ her crime ihe goal should be to narrow h address existing problems in the 
investigation, apprehension, and prosecution of cvber criminals, u idi the -ighiesl 
organization possible. In areas in which governments are Ihe only aclors w-ilh 
Ihe authority (o address problems in cyberspace, they .should do SO to the 
minimal extent possible. 

The United Slates should therefore promote the adoption of national -level 
criminal laws and the dc clopmcnl of less formal mechanisms foi cross-boi dci 
investigation and proseealion through tile creation of a new :ntci gov et nmcnia: 
bodv modeled on Ihe bin uncial Action Task Force (FAIT), an orgar.i/niior 
crealed to promole Ihe development of national and international policies and 
capabilities to combat terrorist financing and money laundering.— l-slablishcd in 
I h\ the (iroup of Seven 'i!7 i in concert with the I uropcsii Com mission and 
eight other countries. FATb began its work by estuhlishing a set of lorn' 
recommended policies thai countries should adopt b.ATb quickie expanded and 
now covers (huly-four countnes that together account for most global financial 
haiisaclioiis. After the terrorist attacks of Scplcmhci II. Ztidl. combating 
lerrorisi financing was added to Ihe FATF mission and the organi/ai ion's 
standards were revised to address Ihe new issue. In addition lo developing 
recommended policies and standards. KATk also monitors member compliance, 
with those standards and helps implement them. Monitoring is done on a 



ninlnlaicral peer-review basis under u program known us Mutual Evaluation 
FATF has also given rise to a series of FATF-stylc regional bodies that have 
adopted a similar mission within specific geographic regions.— With an 
accepted set of standards and objective mechanisms for nionilormc compliance, 
the FATF has created the basis upon which Ihe [ Iniled Stales and other countries 
can threaten noiicompliant nations with the loss of access to international 
financial networks. 

A similar organ i/at ion .houlJ he cs;ahh-hed to do for evher crime what FATF 
ha- done for monev laundering The 1 'ruled Suites — loccthcr w ilh oilier ( llii.'l ) 
countries and smaller nations supportive, of the agenda — should establish the 
oigaiu/alion and develop criteria to evaluate uicuihci ship applications by other 
countries the etgani/alii >n should begin h\ developing model policies based on 
Ihe Council of liuropc Convention Ihe III " Toolkit lor Cvhcrcrimc Legislation, 
and other recogm/.cd best pnielic.es.— As with the FATF. this work should be 
completed within the first year of (he organization's existence. Once the 
lecommciidcd policies lime been developed, the organization -hould oegin 
assessing member countries againsi th.c developed -NtanJiit'dM '1'hc a-ses-mcMs 
should also provide a roadmap for correcting any problems identified anil 
establish a process for periodic review of progress made in addressing the 
identified problems. 

NAME, Shame, and sanction cyber criminal sanctuaries 

I he organi/alion should also conduct an annual global review of both member 
and noumemher countries that assesses countries' legal framework- 
enforcement capabilities, and overall levels of cyber crime. For other 
Iraiisnaiional problems, compiling an annual index Or report of the best and 
worst states based on objective metrics bus prompted main slates to improve 
llieir behavior Models include I ran-oarencv International s Corruption Index. 
Ihe UN Office on Drugs and Crime World Drug Report, and Ihe World Bank's 
Governance Matters Index. Oxford Interne! Institute's Mapping and Measuring 
Cvhci ciinic Forum has begun to explore what metrics could be used in such a 
ranking. 1 ' These rankings would be an effective mechanism for "naming and 
shaming'' countries to address cvher criminal activity and to become members 
of the new organization. 

These independent ratings could then be used as ihe basis for (he organization 
to work Willi Ihe worst states to develop plans to remedy Ihe gaps in their legal 
and enforcement mechanisms I Ttimaleh . as with the tA'l'F recommendation-. 
and evaluations, ims process could provide the basis on which countries are 
sanctioned lor failing to address cyber criminal activity. Sanctions could be 
undertaken bilaterally or mullilalerally. and could include Ihe withholding of 
development dollar- targeted for [nlernel infrastructure developments Countries 
that do noi clean up their cvber-puee could have their alternation, d Imentel 
traffic subjected to Deep Packet Inspection (DPI) or oilier higher levels of 
scrutiny that would slow the How of Ihe traffic. As a last resort failure to 



improve could result m the blacklisting of national IP ranges (if Ihe worst 
offender nations liy the organ izat ion's mem her slates.^ 

riKiMmshi ixyRASTiiirrURt: development aid to 

CYBERSECURITY COOPERATION 

The new orgam/aiion should also work wilh oilier inluniational organizations 
that ]iroinole the development of [uleniel infrastructure to ensure that tliese 
i i i \ " l_- r-.! i n 1 i 1 r-. ate earned out in coiiiunclioi! vviili in vestments in Ihe dcvclooi uenl 
of local, incident-response, and eiiforcemcnl capabilities Ibis effort ean also be 
promoted within Ihe I.! S government Projects by the I hiiled Stales Agency for 
Inteniatioiuil I levclopmenl (liSAIDl to [ay fiber in developing countries should 
be done in concert with legal assislanec from the Justice Department in 
developine mvesiieaiion and prosecutorial capabilities Currcntlv. there is no 
eonneeiiou between ihe lwo elforls The Stale Depanmcni should also pressure 
allied nations and international development organizations | (J adopt similar 

ESTABLISH OPERATIONS CENTERS TO COORDINA TE REQUESTS FOR 
ASSISTANCE 

finallv. ihe organization could help resolve Ihe problem of inlcmaiifiia. 
coordination 10 slop cyber crimes in progress and lo investigate and prosecelc 
attacks llial cross inleniatioiial boundaries onee Ihev have occurred. The current 
bilateral process is slow, cumbersome, and expensive, even lor the United Stales 
w nil its well-stuffed embassies and lee a I alia cite offices spread acro-s the globe, 
lei alone lor smaller sutcs thai often fall victim lo cvher crime ihe tironp of 
Ijghl I ( iK) Subgroup on High-Tech Crime lias laid the groundwork for this 
effort, providing a mechanism foi cooperating on cyber crime on a 24/7 basis. 
This effort could be improved upon hv having the organi/alion csiahlish 
opera I ions ccnlcrs a:ound the glohc staffed bv member country law enforcement 
personnel These centers eonld provide a twenty-four-hour resource, prov tding a 
valuable link between law enforcement personnel and network security 
operalions centers, tine goal of this effort should be lo create a mechanism by 
w hi eh. requests j "i . > n 1 eov eminent agencies and tlie privalc sector in otic eounlrv 
ean he passed lo niilhonlie.s in another country and then passed down lo network 
operators to have eomm a ud-aud- control servers or hosts in botnets shut down. 

LIMITING STA TE ACTION IN CYBERSI'A CE 

Cvher crime is onlv a pari of Ihe current security deficiency in cvher-pace. Slate 
activity may be doing more to undermine trust in Ihe network than cvher 
criminals. Whereas ev her crime can be written off as a cost of doing business, 
the actions of slale actors threaten the verv model of eonncelivitv and Ihe 
ic-iillanl clficicncv Liuins. i because slate actors prc-cnl an a. touchier higher level 
of capabihlv . nothing lhat is connect cd to Ihe network ean be considered beyond 
their reach. As a result, if slale actors cannot be constrained through leehmeal 
defenses, thev must be eon.straincd us olhci c.a\s If consli amis caiuiol be pul 



into place, the efficiency gains from connecting in the network may end up 
costing mure than they are worth. If critical infrastructure continues to he 
roir.inelv exploited, preparation of Ihc haiilcficld niav b\ ilsclf c:"calc confiic;- 
y. hero none would luu e existed If stales continue In target foreign .Mm panic-' 
intellectual property and to transfer that intellecluai property to nalional 
companies, (lie global system of research and development that allows around- 
the-clock work lii he conducted nun he dismantled. 
END OPPOSITION TO TALKS ON WARFARE AND ESPIONAGE IN 
CYBERSPACE 

To address these concerns, the United Stales inusi work to develop new norms 
01' stale bciiai iol in c\ tvrspaco. for ihe past decade, the 1 huted Slates ilas stood 
in opposition lo anv discussions on these areas and attempted to keep Ihe 
international community focused onh on addle-sing cyber crime. U.S. 
opposition sieins from a view thai eommilments by slates lo restrict their 
activ ities in cyberspace would not he honored and thai vei ifieatioti llial slates are 
meeting their eommitments would be all but impossible.— This position, 
however, is derived from Ihe application of the Cold War amis eonlrol 
experience, which is not readily applicable to Ihe current problem of 
eyherseeiinly. [.milled and focused international agreements could benefit llic 
United Slates ill some cases. Moreover. I! S unwillingness lo encage in 
uegoli.aious || M . subject onlv [ends credence lo Ihe view dial Ihc Untied 
Stales seeks hegemonic domiiiiilion of cyberspace 

The United Slates is Ihe mosi feared bogevmaii in cvbcrspisce, given its 
historical role in developing Ihe undcrh ing technologies and the high level of 
capability within U.S. military' and intelligence agencies Maintaining U.S. 
capabilities in e\ploilalion and altaek at a level above all rivals is certainly in 
I 1 S nrcrc-.U. being perceived as bioir.g aiul using these capabilities clearlv is 
lioi file mihlari/alion of cvlier-psce threaten- Ike single global, inieyopermk' 
network, the existence of which has created tremendous economic growth, lied 
nations more elosclv (ogelliei through shaied commerce, and accelerated llic 
exchange of ideas across cultural and international boundaries. Refusing to 
engage publicly in negoli.iiions over I milling cvber m arfire only in creases fears 
thai the I hilled Stales seeks lo dominate e\ berspaee and iilans lo use Ihe domain 
to gam war-fighting advantage, "flic United Slates should make every effort lo 
offset llial perceptual. Negotiations mav not lead lo Ihe creation of a treaty, hul 
there is little harm in entering into Ihem. fhe Ohmna admuiislralion has 
embraecd Ihe value of talking mlemutioiially Cyber warfare should be no 
exception. Participation in the UN Group of Governmental Experts by the 

United States is a good si ail bin engagement niusl be far w ider mid deeper. 

Engagement docs not mean, how e'er, thai the United Slates is forced to 
accept current Head option-, that are not in I 1 S interests. The curreni Ru-.-iuti 
proposal for arms control in cyberspace would commit signatories lo abstain 
from developing offensive cyber capabilities or from engaging in cyber 



espionage, w bile prov iding no viable mechanisms for v cnlicalion. The historical 
record ill' the chemical and biological w capons conventions raises doubts as lo 
whether Irealv commitments thai cannot be verified will load In mcaiiinef'.L 
reductions Moreover, if the I 'niled Sink's met its obligations but other 
signatories did not. a Irealy without verification would place I he 1 tailed Stales al 
a strategic disadvantage. 

The FqCUS on restricting the development of cyber w capons conveys a lack of 
iir.dcrslanding of llie true nature of cyber warfare, Advanced threats in 
cv herspuee arc nol automated hoi-, or norms-, bii; human actors The most poicnl 
weapons are not logic bombs and Trojan horses but the people who design them 
and can use them as part of an organized, persistent effort to gain access to 
I a ice led sv stems. e\ploii them foi in formal ion advantage, and corrupt or dcslrov 
Jul. 'j Moreover, unv defensive pro cram require- masierv of offensive opera Hons 
to be able lo defend against (hose operations In eyber warfare. Ihe ability to 
replicate a software program instantly means that any exploits developed for the 
purposes of testing eotinlcrmcastires can quickly be turned into an offensive 
operation, (riven this reality, attempt-, lo limit the development of offensive 
eyber operations will come lo naught because verification that slates had not 
developed such capabilities would be all but impossible. 

EXAMINE TREAT? OPTIONS AND NORMS DEVELOPMENT AGAINST 
TARGETING CHILIAN SYSTEMS 

fhe problem of verifieal ion. however, does not mean thai there are no issues 
ill at iiilc:"tia;ioiial tic col lal ion-, mid agreements eon Id meal line fu I Iv address 
Instead of focusing on limning llie development of eyber weapons, irealy efforts 
should focus on limiting stale aelor penetration into civilian systems that have 
limited, if any. intelligence value. Currently, too many countries are conducting 
offensive evher operai ion-- under Ihe soparale ■"■til rcaceo guises of espionage 
and "preparaiion of live battlefield " Actions such us peuciralme llie power grids 
of foreign nations so that they can he taken down in u time of war are 

Jesiahib, 1 1 1 ;_ i inciease llie likelihood thai a coillliel in cyberspace will spill 

over into the physical world, flic I cited S:ales -Jiould also seek lo avoid having 
ey heraiiaek- iurn inio u new and dangerou-. form of protest, -omew here between 
issuing a demarche and a military response. If cyberatlacks become an 
acceptable form of international protest, the effects could be eNlremely 
dc-.;ahib/iiig economically and could o|ien Ihe door lo convenlioiia I miblaiv 
conflict. 

^Hernalior.ai agreements 'o sel power grids, ihe financial sector, and oilier 
components of civilian infrastructure off" limits may ultimately be in U.S. 
interests. Hut al (Ins stage, most countries, including Ihe I lulled Stales, are likely 
unwilling lo foreswear the intelligence value gained from csqiloirjng these 
sv stems, 'fhe 1 1 S govern men: should 'veil', a process lo dc: ermine w lie! I let and 
Under what eondilions such agreements would be in UK interests (the Irugihiy 
ofllie.se systems and the costs associated Willi protecting tliciu inav ultimately 



outweigh the bunuj'itr: gained in exploiting adversary sy stems) Though il may be 
loo early lor such a proposal to meet Willi adequate support within the U.S. 
p'^.x-i iin-t-:it ai!d foreign governments, two areas are already ripe for an 
iiilcrna;i>iiial agreement In limit slate action in cyberspace. In each area, ihere 
are no intelligence interests ;il slake. The I hilled Stales should develop proposals 
lo address separately Hie seciinly and sanctity of vool operations dial allow tile 
Internet to fLinelion ai'.d lo ban dcnial-of-scrviee allacks. 
RECOGNIZE THEROOTASA STRATEGIC INTERNATIONAL ASSET 
The rool has been al Ihe eore of liiternel governance smee Ihe developmcnl of 
Ihe Domain Name System in the 1980s. DNS provides the neeessaii link 
hcluccn human-readable domain names like (. bRaug mid machinc-i cadablc IT 
addresses like Mj.4d.21.l4H The DNS relies on thirteen rool servers lo provide 
an l ho i i i alive sij formal ion for all lop-level domains i com. .nel, .us, .jp, elc.| lo 
begin Ihe process of resoh ing a request for a wchpagc or email server. IrTforls 
are under way lo improve the security of the root, bul rool operalions remain 
\ uhictahle to hoih penetration allciiipts and large-scale, distributed, denial-of- 
serviee attacks liasuisc ihe inl'orniaiion lamiaiiuvi in Ihe rool /one file is bv its 
nalure public, no intelligence value can be earned from attempting lo gam access 
lo a rool server. An agreement lo recognize the root as an international strategic 
asset ill at -talcs will not a II cm pi to di.-rnpl would be in ! 1 S interests and eon hi 
serve as a first slep to redticine lens ions m evherspace K.S. control of I he rool 
eonlimies to be an issue, and while Ihe I niiled States has w ished lo mainlam lliis 
role only lo ensure that the rool continues lo function, it may he in U.S. interests 
lo find an iiUciTialioual mechanism lis slew a id ship of I lie rool as part of a grand 
bargain on Inlemet governance. 

PURSUE A TREATY TO BAN DENIAL-OF-SERV1CE ATTACKS 
As w ith a treaty lo protect 'lie rom. an inlernntional agreement lo ban detnal-of- 
scrvice allacks would focus on a narrow- problem Ihal is nol complicaled by 
intelligence collection. 1 )cmal-of-sen ice allacks are. by their nature. brlltc4'orcc 
n canons thai ilo not require networks lo he pencil irec. bul cab. ca si noted I hcv 
are also a deva-Tiling weapon thai lias beer, cmploved both cruniiialh. and in 
slale-level eonllicl. In at Ieasl three instances, Ihe Russian governnienl and 
mtlilary have engaged in or encouraged demal-of-seivicc allacks on foreign 
nations Ihal crippled die victims" liilciiicl infra struct tire and the services that 
relied on il. these attack- include the 2dti7 attack largcliiig b.slonia. the 2di)!s 
allaek largeling Georgia, and the 2(>(i') nllack largcling Kvrgy/stan. Unlike 
computer network exploitation, which may be used for sabotage or espionage, 
deiual-of-serciec attacks can only serve the purpose of sabotaging a system. 
1 bus. I lie 1 fined Slales -.hi si Li promote a treaty thai would commit signatories 
lo a policy of hunting Jemal-of--ervicc aii.icks outside conventional conflicts 
l-ianuing such allacks under an international treaty could be the first slep lo 
cslabhshiug i csponsibi ht\ in cyberspace. Most demal-of-serviee allacks are 
earned out by criminals for Ihe purpose of extortion. The assistance ihal slaics 



provide 111 shutting diiwn a distributed denial -of-serv ice allack can be used lo 
judge w hclbci the attack is condoned by the stale or conducted against its will. If 
stales as.i.l in slopping ".lie attack, iben Hie atlaek .hould he trcaicii as a criminal 
matter On Ihe oilier hand, if stale, are nol rcspon.tvc. it should he taken to 
signify ollicial approv al of ihe allack and therefore viewed as a hostile act. 

LAYING OUT THE TECHNICAL AGENDA 

To dale. Ihe focus of ihe Inlcmci technical eommumlv has been on 
inlcropcrahililv As ihe leciiii"li >gics ilia; make ihe Iniernel work continue lo 
evolve, that focus needs to shift to security. The Internet's underlying 
technologies wcie designed fOl a closed network in Which access was closely 
controlled and all asc:s ■.'.ere irusled fhev were nol hudi and designed for Lie 
purposes ]\.r which Ihe arc now heme used This problem, lone recognized 
within lechniciil circles, has vet lo be adequately addressed. The 2003 U.S. 
National Strategy to Secure Cyberspace identified vulnerabilities within three 
"key [nlcrncl protocols' . ihe Iniernel I'roloeol. w hich guides data from source to 
de-:iiialio:i across Ihe Iniernel: the ilomain Name Svslcin. which lianslalcs II' 
numbers into recount/able Web addresses, and Ihe Border Gateway Protocol, 
which provides the connection between networks to create (he "'network of 
networks."— None of these protocols has built-in mechanisms to verify the 
origin or authenticity of information ->cnl to Ihem. leaving ihcm vulnerable to 
bciin: spooled orollierw:-e mauipulalcd bv mahcious actors The 2')n.' slrsiegv 
recognized ihcse problems but eonehidcd that ""private indusiiv is leading llie 
effort lo ensure that the core functions of ihe Internet develop in a secure 
maimer and limited the role of :hc federal go\ etnmenl to cm a el mating "puhlic- 
private parluerships to encourage . the adoption of improved security 
proioeols "— Nearly a decade later, these problems sltll plague the Internet. At 
thts poult, it is safe lo conclude that the "'coord ma lion" and ""encouragement" 
model ha. no; \ iekled ihe desired result., and .hunger leadership bv Ihe federal 
government is necessary. 

By prov iding leadership technical ass;. lance, and funding Ihe United Stales 
can foster Ihe development and adoption of a new set of secure protocols lhal 
will address main of the vulnerabilities in the current Internet architecture yet 
foicslah ihe dcvelopmeii; and adoption of protocols Inal go Uvi fa:" toward Ihe 
development of an online surveillance -talc or n.k Ihe breakup of ihe lulerr.el 
into a series of Balkam'zed and unconnected national networks. As Marcus 
Sachs lias written, the goal is to avoid a "technical Cold War"' in which the 
United Slates. China, and fin rope develop ""technicallv different and 
iioiiintcropcrahle computer networks based on protocols and rales thai fit each 
society's values, ethics, anil legal systems,"— 

DIRECT THE NA TIONAL SCIENCE FOUNDATION TO DEI 'ELOP A 
TECHNICAL CHALLENGE TO THE IETF TO DEJ FLOP SECURE 
PROTOCOLS 



The best \\u\ lo forestall this outcome is to help creale ;i suite of protocols lh;il 
adequately addresses sccurin concerns without breaking up the Internel or 
luming :i :n;n a ii.mIuI platform In: -Ml. 1 control. . o: more ih;ni two dciaocv 
hilernel I : . nginocring I ask force has driven ihe dcvck .pnieiil of the technical 
standards Ihiil make (he Internet Junction. An open community oj' Icchnical 
experts from around the world, the IKTF and its members have guided the 
evolution of the Internet foi ;i generation and should be given the oppnrlutuh to 
addiv-s I ; iViLi-i|v deficiencies il".a' plague the curcin network o ir.ivil with 
ils allies. Ihe 1 1 S gnvemmcui should challenge ihe IHTk lo develop a new suite 
ol" more secure protocols. "I he goal, best stated by former director of national 
intelligence Juki. Michael ""Mike" Vlci-'onnelk should hu lo 'rocrg ineffl the 
Internet to make attnbuihin. gcolocaiioii. intelligence analysis and impact 
assessnicnl — who did il, IVom where, why and what was the result — more 
manageable.""— II should not, however, seek lo embed into the imderh nig code 
of the Internet perfect attribution that would be the ultimate tool of the 
sur.callanee stale. 

The National Science k on tidal 10:1 .. NSk : should lead the effort to develop the 
lechnieal challenge and should do so in consultation with relevant t'ederal 
agencies, the private sector, ami academic institutions The initial phase should 
locus on clearly slating the problems caused by a lack of security on the Internet 
an J I lien id en', if'. » hot her and how '.hesc p:"nhlcnis can be addressed 1 1", rough Lie 
development of nevv lechnieal standards The NSk should then issue the 
challenge and oversee a system of grants issued through the IETF. The 
challenge should include a deadline of lour years to present a suite of secure 
pioavol- i.nc. begin implementing them. In prcscn: ir.g 111:-, challenge, it should 
be made clear thai failure lo meet I lie deadline would rcsidi m the inilialion of a 
federal effort to create new protocols The United Stales should fund this 
activity, seeking support from other states that agree with the approaclt as 
articulated, in ensure ihal ike challenge is met and Ihal the piolocols developed 
align \\ ith m crall ■ 1 S objectives for developing cyber- pace I lien. incentive- 
musl be provided lo proinolc tueir imiilcmenlalion. 



Organizing the U.S. Effort 



Cvhcr Command is hiisv working In fuse the cvher units of (lie U.S. Arm v. 
Na\y. Air force, and Marines in;*' ;) coordinated effort lo prolcel 1 X-Iljisv 
Department networks; support ground, sea, and air missions: and conduct 
offensive operations in cyberspace when directed Legislation being considered 
in the Senate would give the Department of 1 loinc-land Security the- mission of 
ML-fiiriiiii civilian covernmcr.l -.v sit-ins and adei In >nal power to reiruh-lc 
criocal infra -a rucl lire in 3 ho private -.eelor for cvbcrsecurilv A parallel effort is 
necessary lo ensure thai ihplomiitie efl'ons Willi foreign stales and within 
internet governance forums ale coordinated, resourced, and in pursuit of defined 
U.S. objectives. 

APPOINT A DEPUTY WHITE HOUSE CYBERSECURITY COORDINATOR 
FOR INTERNET GOVERNANCE 

In the Clinton administration, a single official. Ira Maga/iuer. offecliu'U 
managed the L-slahlishinenl of Inleniel go\ eruauee policy and eugagcmcnl Willi 
Internet governance forums. Tile issue is now loo broad for one person lo 
manage L-l'i'e-etivcK". hut the While I louse must have a lead on Inleniel 
governance lo coordinate the development of policy and oversee its 
liiipleiiieiiialion The legislation dial \iould broaden the Department of 
I loinelaild Security's power Vi ollld also establish within the Kxcclllivc ( ll'fiee of 
the I'resident die Office of Cvbcr.spaee I'oliev. moving it inlo the existing 
evher-eairilv coordinator role and -Lengthening ihe po-.il ion's authority, 
budget and staffing The direelor of this offiee should be given a deputy for 
eoordinalmg LIS. Inleniel governance policy u ilh a staff to perform oversight, 
ensuring llial the U.S agenda in evherspaee is being promoted at eveiv 
opportunity. 

CREA TE A NEW BUREA V OF CYBER AFFAIRS WITHIN THE STA TE 
DEPARTMENT. 

The Stale Department should be reorganized and staffed lo pursue the U.S. 
agenda in evherspaee, plaemg the requisite lotus on securing ihe domain in all 
forums and bilateral relations u here cyberspace comes into play. Although the 
St -Lit- ; leparunenl is currently overh. focused ml ihe issue of Internet freedom to 
the delnmenl of cvbcrsecurilv. thai bias can he coiTeelcd by giving the 
department a clear mission for Internet governance that brings lliese seemingly 
competing lnleiesls inio balance and by adequately and appropriately staffing 
the orcaiii/alion with requi.-.i!e expertise and experience At a minimum. Ihe 
Sua,: I }. parlmeiii should iiave tile re-.ource- : lo i-ootdmale positions across lac 
go\ criuneut and accompany all delegations Full-time positions or Stale 
Department liaisons should also he created at other relevant agencies. "Ihe 



investment required is comparatively miniscule, but the benefits would be 

following thu confirmation of (ieiieral Keith Alexander to head <_'\ bL-r 
Command and In- promotion to four-Mar general, tlio 1 lefense Department - 
elTorts in cyberspace are led by the filiocnth-highcsl-rauf iug official in the 
department With the creation of Cyber Command within the Defense 
I )cpailmcnL an equal level of i m p o it an ce should lie given to the issue of c\ her 
diplomacy at I lie Si ale I lepa rime lit. I o Jo lhal. Congress should create a I tare, in 
of Cyber Affairs under ihe Stale Department's undei-.ecrelar> lor political 
.ill. u:s Organizations within Ihe Sliite Department currently responsible for 
international leleeoiiaiiuiiiealious issues. Inleniet liecdom. and eyhei seelliu\ 
should he brought iniu this new bureau, These nielude ihe Office of Cvber 
Affairs in Intelligence and Research, which is responsible for analysis of 
cy hersccurily issues, interagency coordination, and inlenialional affairs- Ihe 
International Communication and Information Holiey group within the Bureau 
of Ueonomie. linergv. and liusiness Affairs, and the Global internet freedom 
Task Force. 

CREATE A CENTRALIZED FORUM FOR THE PRIVATE SECTOR TO 
COORDINATE INTERNET GOVER,\A.\ : CE AGENDAS WITH THE US, 
GOVERNMENT 

The new Bureau of Cy her Affairs should also bring under it existing advisory 
committees within ihe Stale Department related to information leehm ilogv . 
including the Advisor.' Commit lee on International Com man teal ions and 
Information Policy and the International Telecommunication Advisory 
Committee. In addition, a new eommtliee should be established that is singularly 
focused on c\ hci sectlnU A single office sciwilg fiese comiiu iiees should 
provide a centralized forum for die private sector to coordinate Internet 
governance agendas w ilh the 1 1 S goi eminent ' I S com panics like Microsoft 
and Symantec arc important players in lutcmcl governance forums At present, 
the) are sliouldei mg too niueh of the burden and lack eleai dueetion on how to 
promote II. S national interests. Though M S companies mav not always be 
aligned w iih ihe position ol the government, thev should have the opportunity to 
shape that position and to understand the agenda lhat the U S. guvemmenl is 
advocating 

INCREASE FUNDING FOR ENGAGEMENT WITH INTERNET 
GOVERNANCE FORUMS 

The appointment ol' a seiii^r While 1 louse official for Internet goi enuuee ami 
the creation of a new bureau w ithiu the Slate Dcparlmcui to manage Ibis issue 
does in a n'.eai! liar oilier ager.eies do not have interests ol slloukl not have a role 
in inlemalional engagemeni ■ "> i j Inlernel governance. To the contrary, the 
departments of Defense. Commerce. Justice, and Homeland Securiiy — as well 
as .snhdepariment entities such as the National Telecommunications and 
inlomi.ition Administialioa and ihe f'BI — will eontinue to have active 



multilateral and hi 1 ;M I partnerships, bul will do so wiihin a eonsiruet that 
promoles ilit overall U.S. agL-nda. Their iiuernaliotul jfl'ans ulTicts or those 
oiiliiios eneaLit'd in Interne! envurnanct' loinm.-- should he appt;ip:"iali.-lv staffed 
al a sulTk'K'nlly sentnr level and jiirai tilt lime and resoiiRT.-. li> prepare in 
enttaye. Cnrrenllv. interne! gmemanee is nut anyone's day job. 



Conclusion 



I be Internet is ;il li emend point in its relatively carlv history Malicious activity 
earned out hv criminals, spies, and war fighter- threaten the economic growth 
anJ efficiency lh:il Ihe existence ol" a single. yk>bnl inlcropet-iil-ilo network has 
brought IT these threats arc not addressed corislniclw cly llinuigli wider II S. 
engagement, other l-iilii-iLe'lcs will slop in and ma\ arcliilecl a solution that would 
deprive hie Internet of Ihe wit characteristics llial haw made il valuable in Ihe 

(uven these factors the United Stales should move hevond its traditional 
opposition to engagement on is-an's of Internet governance and k'ad ef:or:- 
amonj: like-minded countries 10 address security concerns in ways that will 
enhance rather than detract from the Internet as an engine of economic growth 
The I holed Slates must work to develop new international mechanisms to slop 
c\ hcratiacks pursue cyber criminals, and rein in state actors engaged in 
malicious activity Together with investments to retirchilecl Ihe Internet's 
underlying protocols to make lliem more secure, these efforts can preserve- and 
c\lcikl Ihe eeoiioiine value del ived from the Internet. 
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the risu of new powers, and ibe mounting iniliicncc of non-la;e actors ] ixj-slLnt: 
nuiliilaiorul arrym.icmeuls thus pro\ idc an inadequate foundation lor addressinii 
many ol' today's most pressing threats and opportunities and lor advancing I ! S. 
national and broader global interests. 

Given these trends, U.S. policymakers and other interested actors require 
rigorous, independent analysis of current sliuelures of multilateral cooperation, 
and of the promise's and pill alls of allermilive institutional arrangements, '['he 
ill i< i pro ara in mccis these needs bv jnalv/me Ibe strength-, and weaknesses ol' 
e\isluig multilateral inslitulions and proposing reforms lailored lo new 
international circumstances. 

The 1IGG program fulfills its mandate by 

Engaging LT'R fellows in researeb on improving c\isling and building new 
frameworks to address specific global challenges— including climate 
change, the proliferalion of weapons of mass deslnielion, transnational 
terrorism, and global health — and disseminating the research through 

books, articles. Council Special Reports, and other outlets' 

- Bringing together mnuenlial foreign policymakers, scholars, and CFR 
members to debate the merits of international regimes and frameworks at 
meetings in New York. Washington. IX.'. and oilier select cities: 

- Hosting rotindtable series whose nhicem es arc lo i nb ant the foreign policy 
community of today's inlernatioual governance challenges and breed 
inventive Solutions lo strengthen Ibe world's mnliilaieral bodies: and 

- 1'rovidim: a suite -of-lhe- art Weii presence a- a resiHirce lo Ihe wider foreign 
police com mum 11 on i-siies relalcd lo ihe lulu re o I" global governance. 
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